New TDS attempted malware delivery to 600,000 users


Tuesday, 12 April, 2022
New TDS attempted malware delivery to 600,000 users

Threat researchers at digital security and privacy company Avast have discovered a new malicious Traffic Direction System (TDS) — Parrot TDS — that has infected web servers hosting more than 16,500 websites. Affected sites include university and local government sites, as well as personal websites and providers of adult content.

Website appearances are altered to show a phishing page claiming the user needs to update their browser. When a user runs the browser update file offered, a Remote Access Tool (RAT) is downloaded, giving attackers full access to victims’ computers.

“Traffic Direction Systems serve as a gateway for the delivery of various malicious campaigns via the infected sites,” said Jan Rubin, malware researcher at Avast.

“At the moment, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed via Parrot TDS, but other malicious activity could be performed in the future via the TDS.”

Weak credentials give Parrot TDS wide reach

Rubin and fellow researcher Pavel Novak believe attackers are exploiting web servers of poorly secured content management systems, like WordPress and Joomla sites, by logging into accounts with weak credentials to gain admin access to the servers.

“The only thing the sites have in common is that they are WordPress and in some cases Joomla sites. We therefore suspect weak login credentials were taken advantage of to infect the sites with malicious code,” said Novak, ThreatOps Analyst at Avast.

“The robustness of Parrot TDS and its huge reach make it unique.”

Parrot TDS allows attackers to set parameters to only display phishing pages to potential victims who meet certain conditions, which look at users’ browser type, cookies and which website they came from. These parameters are set so that each user is only shown a phishing page once, to prevent Parrot TDS’s servers from overloading.

From 1 to 29 March 2022, Avast protected more than 600,000 unique users from around the globe visiting sites infected with Parrot TDS, with 10% of users (6000) in this timeframe based in Australia.

FakeUpdate campaign

The malicious FakeUpdate campaign uses JavaScript to change site appearances to display phishing messages claiming the user needs to update their browser.

Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message. This is an act of defence to determine whether or not to display the phishing message — among other things, the scan checks which antivirus product is on the device. The file being offered as an update file is really a remote access tool called NetSupport Manager.

The bad actors behind the campaign have configured the tool in such a way that the user has very little chance of noticing it. If the file is run by the victim, the attackers gain full access to their computer. The cybercriminals behind the FakeUpdate campaign can change the payload delivered to victims at any time.

In addition to the FakeUpdate campaign, Avast researchers observed other phishing sites being hosted on the Parrot TDS infected sites, but cannot conclusively tie these to Parrot TDS.

How developers can protect their servers

  • Scan all files on the web server with an antivirus program, like Avast Antivirus.
  • Replace all JavaScript and PHP files on the web server with original files.
  • Use the latest CMS version.
  • Use the latest versions of installed plugins.
  • Check for automatically running tasks on the web server (for example, cron jobs).
  • Check and set up secure credentials, and use unique credentials for every service.
  • Check administrator accounts on the server, making sure each of them belongs to developers and have strong passwords.
  • When applicable, set up 2FA for all the web server admin accounts.
  • Use available security plugins (WordPress, Joomla).

How site visitors can avoid falling victim to phishing

  • If the site being visited appears different than expected, site visitors should leave the site and not download any files or enter any information.
  • Only download updates directly from browser settings, never via any other channels.

The full analysis can be found on the Decoded blog: https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/.

Image credit: ©stock.adobe.com/au/enzozo

Related News

Commvault arranges to buy Appranix

Cyber resilience provider Commvault plans to leverage its acquisition of Appranix to help...

Fujitsu establishes security consulting division

Fujitsu's new digital security consulting division will help organisations prepare for and...

Unstoppable Domains joins GlobalBlock initiative

Web3 domain name service provider Unstoppable Domains has joined the GlobalBlock initiative to...

Content from other channels on our network

Monash University home to three electron microscopes

Hidden semiconductor activity spotted by researchers

Researchers develop programmable photonic processor

UV broadband spectrometer enhances air pollutant analysis

Novel material improves stability, efficiency of PSCs

Million-dollar rooftop solar for Kimberley hospital

Protecting wildlife from electrical assets — and vice versa

Immersive VR training for electricians

Future Made in Australia Act welcomed by climate orgs

An interconnected ASEAN Power Grid: report

Antenna upgrade enables better sewer management

60 million Aust drone flights predicted for 2043

The fire on Marley's Hill

Sanctions on Hytera halted by appeals court

MXene-based compound to enable 3D-printed antennas

  • All content Copyright © 2024 Westwick-Farrow Pty Ltd